IcoFX [1] is prone to a (client side) security vulnerability when
processing .ICO files. This vulnerability could be exploited by a remote
attacker to execute arbitrary code on the target machine, by enticing
the user of IcoFX to open a specially crafted icon file.

4. *Vulnerable Packages*

. IcoFX v2.5.0.0 for Windows.
. Other versions are probably affected too, but they were not checked.

5. *Vendor Information, Solutions and Workarounds*

There was no official answer from the vendor after several attempts to
report this vulnerability (see [Sec. 8]). As a mitigation, given that
this is a client-side vulnerability, avoid opening untrusted ICO
files. Contact the vendor for further information.

6. *Credits*

This vulnerability was discovered and researched by Marcos Accossatto
from Core Exploit Writers Team. The publication of this advisory was
coordinated by Fernando Miranda from Core Advisories Team.

7. *Technical Description / Proof of Concept Code*

The following shows the result of opening the maliciously crafted file
'CORE-2013-1107-icofx-poc.ico'[2] on Windows XP SP3 (EN).

The vulnerable function is located at 0x80D9F8. When the PoC is loaded,
the loop [0x80DA74, 0x80DA93] fills the buffer and overwrites the
Exception Handler:

CoreLabs, the research center of Core Security Technologies, is charged
with anticipating the future needs and requirements for information
security technologies. We conduct our research in several important
areas of computer security including system vulnerabilities, cyber
attack planning and simulation, source code auditing, and cryptography.
Our results include problem formalization, identification of
vulnerabilities, novel solutions and prototypes for new technologies.
CoreLabs regularly publishes security advisories, technical papers,
project information and shared software tools for public use at:
http://corelabs.coresecurity.com.

11. *About Core Security Technologies*

Core Security Technologies enables organizations to get ahead of threats
with security test and measurement solutions that continuously identify
and demonstrate real-world exposures to their most critical assets. Our
customers can gain real visibility into their security standing, real
validation of their security controls, and real metrics to more
effectively secure their organizations.

Core Security's software solutions build on over a decade of trusted
research and leading-edge threat expertise from the company's Security
Consulting Services, CoreLabs and Engineering groups. Core Security
Technologies can be reached at +1 (617) 399-6980 or on the Web at:
http://www.coresecurity.com.

This advisory has been signed with the GPG key of Core Security
Technologies advisories team, which is available for download at
http://www.coresecurity.com/files/attachments/core_security_advisories.asc.